SCOTTSDALE, Ariz. and SAN DIEGO–The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911).
The organizations reported that number of breaches represents a substantial hike of 40% over the near record high of 780 reported in 2015. The analysis also acknowledges that the increase could reflect the fact more states are now making this information publicly available?
“With support from CyberScout, the ITRC has been able to heighten its efforts in tracking breaches nationwide by seeking out information on breach incidents through direct contact with numerous states’ attorney general offices as well as by submitting Freedom of Information Act requests,” said Eva Velasquez, president and CEO, ITRC. “For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available. This year we have seen a number of states take this step by making data breach notifications public on their websites. The ITRC Data Breach Report 2016 now includes information from more than a dozen state agencies.”
According to the companies, since 2005 the ITRC has been identifying data breaches in five industry sectors. In 2016, the business sector again topped the list in the number of data breach incidents, with 494 reported, representing 45.2% of the overall number of breaches. This was followed by the healthcare/medical industry (377 incidents), representing 34.5% of the overall total. The education sector (98) followed at 9.0%, the government/military (72) at 6.6% and the banking/credit /financial sector (52) at 4.8%.
The organizations reported that number of breaches represents a substantial hike of 40% over the near record high of 780 reported in 2015. The analysis also acknowledges that the increase could reflect the fact more states are now making this information publicly available?
“With support from CyberScout, the ITRC has been able to heighten its efforts in tracking breaches nationwide by seeking out information on breach incidents through direct contact with numerous states’ attorney general offices as well as by submitting Freedom of Information Act requests,” said Eva Velasquez, president and CEO, ITRC. “For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available. This year we have seen a number of states take this step by making data breach notifications public on their websites. The ITRC Data Breach Report 2016 now includes information from more than a dozen state agencies.”
According to the companies, since 2005 the ITRC has been identifying data breaches in five industry sectors. In 2016, the business sector again topped the list in the number of data breach incidents, with 494 reported, representing 45.2% of the overall number of breaches. This was followed by the healthcare/medical industry (377 incidents), representing 34.5% of the overall total. The education sector (98) followed at 9.0%, the government/military (72) at 6.6% and the banking/credit /financial sector (52) at 4.8%.
Leading Types of Data Breaches
In 2007, the ITRC reported it began adding categories to identify data breach incidents by the “type of occurrence.” For the eighth consecutive year, hacking/skimming/phishing attacks were the leading cause of data breach incidents, accounting for 55.5% of the overall number of breaches, which is an increase of 17.7% over 2015 figures. Of these, many were a result of CEO spearphishing efforts (also known as business email compromise schemes) in which highly sensitive data, typically information required for state and federal tax filings, was exposed.
Breaches involving accidental email/Internet exposure of information was the second most common type of breach incident at 9.2% of the overall number of breaches followed by employee error at 8.7%, the organizations said. With the exception of hacking, all other categories reflected decreases from 2015 figures.
“The business sector seemed to be the target of these attacks, as many of these occurrences resulted from CEO spear phishing efforts,” noted Bill Hardekopf, CEO at LowCards.com, Birmingham, Ala. “In these types of attacks, cybercriminals send an employee an official-looking email that encourages them to click a link, which in turn gives hackers access to the employee's corporate network. Sensitive business data, including state and federal tax filings, is then exposed. In 2017, the IRS has reported a 400% surge in these attacks, which has prompted industry and consumer alerts from the organization.”
“For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks,” said Matt Cullina, CEO of CyberScout and vice chair of ITRC’s board, in a released statement. “With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution.”
Since 2010, the ITRC said it has been tracking breaches involving Social Security numbers (SSNs) and credit card/debit card numbers. Exposure of SSNs was evidenced in 52.0% of the overall number of breaches in 2016, representing an increase of 8.2% over 2015 figures. Exposure of records involving credit/debit cards at 13.1%, reflects a decrease of 7.4% from 2015. With that said, it is important to remember that most data breach notifications or media reports do not include the type of information exposed. The spike in SSN exposures is in clear alignment with the surge of CEO spear phishing attacks, which target this type of information.